OAuth 2.0 identity providers#

Starburst Enterprise platform (SEP) includes support for OAuth 2.0 authentication. The following sections provide information about configuring and using the supported identity providers.

OpenID Connect metadata#

OpenID Connect servers publish their metadata at a well-known URL, typically https://authorization-server.com/.well-known/openid-configuration. Use the data returned by this endpoint to configure OAuth 2.0 authentication, mapping the metadata fields to SEP configuration properties as follows:

OAuth2 configuration properties#

OpenID Connect metadata field    SEP configuration property
authorization_endpoint           http-server.authentication.oauth2.auth-url
token_endpoint                   http-server.authentication.oauth2.token-url
jwks_uri                         http-server.authentication.oauth2.jwks-url
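As an added example (not part of the Starburst documentation or its tooling), the mapping in the table above applied to a constructed discovery document, rejecting any endpoint that is missing or not served over HTTPS and flagging endpoints hosted away from the issuer for review. The sample JSON, its URLs, and the function names are assumptions.

```python
import json
from urllib.parse import urlparse

# Mapping from the table above: OpenID Connect metadata field -> SEP property.
FIELD_TO_PROPERTY = {
    "authorization_endpoint": "http-server.authentication.oauth2.auth-url",
    "token_endpoint": "http-server.authentication.oauth2.token-url",
    "jwks_uri": "http-server.authentication.oauth2.jwks-url",
}

# Constructed sample discovery document, standing in for the JSON returned by
# https://<issuer>/.well-known/openid-configuration (not a real provider's output).
SAMPLE_METADATA = json.dumps({
    "issuer": "https://authorization-server.com",
    "authorization_endpoint": "https://authorization-server.com/oauth2/v1/authorize",
    "token_endpoint": "https://authorization-server.com/oauth2/v1/token",
    "jwks_uri": "https://authorization-server.com/oauth2/v1/keys",
})


def sep_properties(metadata_json: str) -> dict:
    """Map a discovery document to SEP properties, rejecting missing or non-HTTPS
    URLs: the coordinator fetches signing keys from jwks_uri and exchanges codes
    at token_endpoint, so a plaintext URL there is a misconfiguration to reject."""
    metadata = json.loads(metadata_json)
    props = {}
    for field, prop in FIELD_TO_PROPERTY.items():
        url = metadata.get(field)
        if not url:
            raise ValueError(f"discovery document lacks {field}")
        if urlparse(url).scheme != "https":
            raise ValueError(f"{field} must use https, got {url}")
        props[prop] = url
    return props


def off_issuer_hosts(metadata_json: str) -> list:
    """Endpoint fields hosted somewhere other than the issuer: not an error (some
    providers serve keys elsewhere), but worth a review before trusting them."""
    metadata = json.loads(metadata_json)
    issuer_host = urlparse(metadata["issuer"]).netloc
    return [f for f in FIELD_TO_PROPERTY
            if urlparse(metadata[f]).netloc != issuer_host]


def render_properties(props: dict) -> str:
    """Lines in config.properties format, sorted so repeated runs diff cleanly."""
    return "\n".join(f"{k}={v}" for k, v in sorted(props.items()))
```

Paste the output of render_properties into the coordinator's config.properties alongside the client ID and secret described in the provider sections below.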

Supported Identity Providers#

The following sections detail the necessary configuration steps in the identity provider’s user interface and in SEP configuration.

Okta#

Create an Okta app

You can skip this step if you’re going to use an existing app integration.

Configure the client

Copy the client ID and client secret to http-server.authentication.oauth2.client-id and http-server.authentication.oauth2.client-secret.

Find the configuration URLs in Okta under Security > API > Authorization Servers. Choose the authorization server for your application, open its Metadata URI, and use the content to configure the OpenID Connect metadata.

Also set http-server.authentication.oauth2.additional-audiences to the value of the authorization server's Audience field.

Azure Active Directory#

Create an Azure AD app integration

  • Go to Microsoft Azure Portal > Azure Active Directory > App registrations > New registration.

  • Enter a name and choose Accounts in this organizational directory only (Starburst Data only - Single tenant) from Supported account types.

  • For Redirect URI, choose Web and enter the OAuth 2.0 authentication callback URL https://<trino-coordinator-domain-name>/oauth2/callback.

  • Click Register.

You can skip this step if you’re going to use an existing app registration.

Configure the client

  • Go to Certificates & secrets and select New client secret.

  • Enter a description and set an expiration period.

  • Copy the value of the secret to http-server.authentication.oauth2.client-secret.

  • Go to Expose an API and click Set next to Application ID URI.

  • The Application ID URI must be unique within your organization. For example: https://organization.com/d858d980d-71d5-4e86-8da8-5ea4cab5a8e1.

  • Select Add a scope in the Scopes defined by this API section.

  • Fill in a name, display name, and description. Choose Admins and users from Who can consent?.

  • Click Add a client application in Authorized client applications.

  • Use the client ID and select the scope created in the previous step.

  • Set http-server.authentication.oauth2.scopes=https://your.company.com/d858d980d-71d5-4e86-8da8-5ea4cab5a8e1/user,openid.

  • Copy the value from Application (client) ID to http-server.authentication.oauth2.client-id.

  • Go to Overview > Endpoints, visit the URL under OpenID Connect metadata document, and use the content to configure the OpenID Connect metadata.

Active Directory Federation Services#

Create an AD FS Application Group

  • Open the AD FS application.

  • Choose Application Groups and Add Application Group.

  • Specify a name and use the Server application template.

  • Use the OAuth 2.0 authentication callback URL https://<trino-coordinator-domain-name>/oauth2/callback for Redirect URI.

  • Copy the value of the client ID to the http-server.authentication.oauth2.client-id property.

  • On the Configure Application Credentials step, use Generate a shared secret, and copy the generated secret to the http-server.authentication.oauth2.client-secret property.

You can skip this step if you’re going to use an existing app registration.

Configure the client

To find the configuration URLs, go to Service > Endpoints, and use the URL under OpenID Connect Discovery to configure the OpenID Connect metadata.

In addition, set the following properties:

```properties
http-server.authentication.oauth2.additional-audiences=urn:microsoft:userinfo
http-server.authentication.oauth2.scopes=openid
```